Top 25 Most Dangerous Programming Errors

It is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.

It is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

one-click attack or session riding

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

It occurs when an attacker attempts to execute system level commands through a vulnerable application.

personally identifiable information

It is an application that takes a parameter and redirects a user to the parameter value without any validation.

It is a flaw in an electronic system or process whereby the output and/or result of the process is unexpectedly and critically dependent on the sequence or timing of other events.

The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

It aims to access files and directories that are stored outside the web root folder.

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.

The software does not check or improperly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software.

It is a flaw related to improper use of user input. Most programming languages has support for array structure.

The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor.

The software does not perform or incorrectly performs access control checks across all potential execution paths.

The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

The software does not encrypt sensitive or critical information before storage or transmission.

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

The software specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Attempting to create non-standard and non-tested algorithms, using weak algorithms, or applying algorithms incorrectly will pose a high weakness to data that is meant to be secure.